                                                OFFICE OF INSPECTOR GENERAL
                                                                        MEMORANDUM

DATE:          January 10, 2003

TO:            Chairman

FROM:          Inspector General

SUBJECT:       Report on the Follow-up Audit of Computer Controls at the FCC Consumer Center

The Office of Inspector General (OIG) has completed a Follow-up Audit of Computer Controls at the FCC Consumer Center. A copy of our report, entitled “Follow-up Audit on Computer Controls at the FCC Consumer Center” (Audit Report No. 01-AUD-07-30), is attached. The objective of this audit was to determine the current status of conditions identified in Audit Report No. 00-AUD-01-12, entitled “Report on Audit of Computer Controls at the FCC Consumer Center,” that was issued on June 21, 2000.

To accomplish the objectives of this follow-up audit, we contracted with the public accounting firm of KPMG, LLP (KPMG). Under our supervision, KPMG first reviewed the status of each condition as reported by FCC management. The KPMG review team conducted a site visit to the FCC Consumer Center, interviewed staff, reviewed documentation, and performed other tests deemed necessary. Finally, KPMG evaluated the status of technical controls by executing automated tools and manual tests on the Consumer Center’s UNIX and NT servers, as well as the Sybase databases administered by the Consumer and Governmental Affairs Bureau (CGB) and the Information Technology Center (ITC).

Of the one hundred and three (103) findings in the original audit, sixty-six (66) findings were reviewed. The remaining thirty-seven (37) findings were either duplicates or were otherwise determined to be outside the scope of this audit. The follow-up audit identified twenty-one (21) open findings. In addition, the follow-up audit identified four (4) new conditions.
We recommend that the problems we identified be corrected to strengthen the security of the Commission’s Consumer Center information technology program. Our recommendations will correct present problems and minimize the risk that future security problems will occur. All recommendations contained in the attached report will be tracked for reporting purposes by the OIG.

Appendix A of the attached report is a summary of all open audit findings and new conditions. Appendix B contains the detailed results of our audit. Appendix C lists the new conditions identified during this follow-up.

On September 30, 2002, we issued a draft report summarizing the results of our audit. In that draft report, we requested that OMD and CGB prepare a joint response to the open and new findings and recommendations presented in our report and that the response be provided by October 18, 2002. On October 18, 2002, we received a request from the Commission’s computer security officer to extend the due date for the response to November 1, 2002. No additional request for extension was received. On November 27, 2002, we received a response to our draft report¹.

In their response, OMD and CGB indicated concurrence with the recommendations made for all twenty-five (25) new and open findings. For seventeen (17) findings, OMD and CGB outlined the corrective action taken and/or a milestone schedule for implementation of corrective action. OMD and CGB partially concurred with eight (8) findings. We have included a copy of the response from OMD and CGB in its entirety as Appendix D to this report.
Where OMD and/or CGB disagreed with the finding, or to further clarify our position, we have added a section titled “OIG Comments,” to explain our position or provide additional comment.

Because of the sensitive nature of the information contained in these appendices to this report, we have classified all as “Non-Public – For Internal FCC Use Only” and have limited distribution. Those persons receiving this report are requested not to photocopy or otherwise distribute this material.

                                                               H. Walker Feaster III
                                                               Inspector General

Attachment

cc:        Chief, Consumer and Governmental Affairs Bureau
           Managing Director
           Chief Information Officer
           AMD – PERM

¹ The ITC/CGB response was dated November 22, 2002. However, it was not provided to the OIG until November 27, 2002.

Federal Communications Commission
     Office of Inspector General

Report on Follow-up Audit on Computer Controls at the FCC Consumer Center

              Report No.
01-AUD-07-30
                  January 10, 2003

               TABLE OF CONTENTS

                                                   Page

EXECUTIVE SUMMARY                                  2

BACKGROUND                                         3

OBJECTIVE                                          4

SCOPE                                              5

OBSERVATIONS                                       5

APPENDIX A             Findings Summary            A-1

APPENDIX B             Detailed Findings           B-1

APPENDIX C             New Conditions Identified   C-1

APPENDIX D             Fact Sheet                  D-1

       Executive Summary

On June 21, 2000, the Office of Inspector General (OIG) issued Audit Report No. 00-AUD-01-12 entitled “Report on Audit of Computer Controls at the FCC National Call Center” summarizing the results of an audit of the FCC Consumer Center, formerly known as the National Call Center. The objective of this audit was to examine the Consumer Center’s automated computer system and the environment in which it operates to ensure that adequate security safeguards exist to protect Consumer Center data.

The report noted that significant technical control and internal control improvements could be made to improve the overall security posture of the Consumer Center. The report contained one hundred three (103) specific observations, and the review team concluded that the computer system general controls as implemented at the Consumer Center were not sufficient to meet minimum security requirements. The one hundred three (103) findings covered issues in Unix, Windows NT, and Sybase controls, physical security, continuity of operations, policies and procedures, change controls, segregation of duties, and network security.
The Commission concurred with all of the reported findings and developed corrective action plans to address the findings.

The OIG engaged KPMG LLP (KPMG) to perform the follow-up audit on the Consumer Center findings. The objective of this audit was to determine which findings from the audit were closed and which were open. Specifically excluded were conditions related to physical security and other conditions determined by the OIG to be outside the scope of the audit. For example, seven (7) findings dealing with slightly different aspects of UNIX file protection were combined into one finding. Also, we are planning to conduct a comprehensive physical security review in Fiscal Year 2003 which will cover the physical security issues. As a result, we are not following up on physical security findings in this review. In total, sixty-six (66) of the original one hundred three (103) conditions were followed up on during the audit. The guideline for performing this audit was the Federal Information System Control Audit Manual (FISCAM). Additional guidance was received from the National Institute of Standards and Technology (NIST) and other laws and directives related to management and protection of Federal information resources including the FCC’s “Computer Security Program Directive” (FCC Instruction 1479.2).

To achieve our objective, the audit team first reviewed the status of each condition as reported by FCC management. To determine the appropriateness of the reported status and the current status of conditions, the review team conducted fieldwork from April 18, 2002 through July 23, 2002. A site visit to the FCC Consumer Center in Gettysburg, Pennsylvania was conducted on May 2, 2002 to follow up technical conditions. An additional site visit was conducted on May 6, 2002 through May 7, 2002 to review general control conditions.
The remaining fieldwork was performed from the FCC’s Portals location in Washington, DC. The status of general control conditions, which addressed Security Program Planning and Management, Application Software Development and Change Controls, System Software, Segregation of Duties, and Service Continuity, was determined through staff interviews, review of documentation, and other tests deemed necessary. The status of technical control conditions, which addressed Access Controls, was evaluated by executing automated tools and manual tests on the Consumer Center’s UNIX and NT servers, as well as the Sybase databases administered by the Consumer and Governmental Affairs Bureau (CGB) and the Information Technology Center (ITC).

This report details our observations and documents the status of each of the conditions followed up on. The audit also resulted in the identification of additional control weaknesses. Specifically, of the sixty-six (66) findings followed up on, twenty-one (21) were determined to have an open status and forty-five (45) were identified as closed. The audit also resulted in the identification of four (4) new conditions.

On July 1, 2002, we met with representatives from the ITC, CGB, and the FCC Security Office to discuss preliminary findings. In response, ITC and CGB provided informal written comments.

On September 30, 2002, we issued a draft report summarizing the results of our audit. In that draft report, we requested that OMD and CGB prepare a joint response to the open and new findings and recommendations presented in our report and that the response be provided by October 18, 2002. On October 18, 2002, we received a request from the Commission’s computer security officer to extend the due date for the response to November 1, 2002. No additional request for extension was received.
On November 27, 2002, we received a response to our draft report¹.

¹ The ITC/CGB response was dated November 22, 2002. However, it was not provided to the OIG until November 27, 2002.

In their response, OMD and CGB indicated concurrence with the recommendations made for all twenty-five (25) new and open findings. For seventeen (17) findings, OMD and CGB outlined the corrective action taken and/or a milestone schedule for implementation of corrective action. OMD and CGB partially concurred with eight (8) findings. We have included a copy of the response from OMD and CGB in its entirety as Appendix D to this report. Where OMD and/or CGB disagreed with the finding, or to further clarify our position, we have added a section titled “OIG Comments,” to explain our position or provide additional comment.

Because of the sensitive nature of the information contained in the appendices, we have marked them all “Non-Public – For Internal Use Only” and have limited distribution. Those persons receiving this report are requested not to photocopy or otherwise distribute this material.

Background

The Federal Communications Commission (FCC) Office of the Inspector General (OIG) is responsible for conducting audits and investigations of FCC operations and programs. The OIG provides leadership and recommends policies for activities designed to prevent and detect fraud, waste, and abuse and to promote economy, efficiency, and effectiveness of FCC programs and operations. Since its creation in 1988, the OIG has performed numerous reviews, inspections, and audits to evaluate the effectiveness of controls designed to ensure the protection of Commission personnel and property.
For example, the OIG has performed several reviews evaluating the security of the Commission’s Information Technology (IT) infrastructure (e.g., security of network components, data centers, hub rooms, wiring closets, etc.) and several reviews to evaluate the physical security of Commission workspace.

On June 21, 2000, the OIG issued Audit Report No. 00-AUD-01-12 entitled “Report on Audit of Computer Controls at the FCC National Call Center” summarizing the results of our audit of the FCC Consumer Center, formerly known as the National Call Center. The objective of this audit was to examine the Consumer Center’s automated computer system and the environment in which it operates to ensure that adequate security safeguards exist to protect Consumer Center data.

The report noted that significant technical control and internal control improvements could be made to improve the overall security posture of the Consumer Center. The original report contained one hundred three (103) specific observations in the area of internal controls including: Security Program Planning and Management, Access Controls, Application Software Development and Change Controls, System Software, Segregation of Duties, and Service Continuity. Accordingly, the review team concluded that the computer system general controls as implemented at the Consumer Center were not sufficient to meet minimum security requirements.

The one hundred three (103) findings covered issues related to Unix, Windows NT, and Sybase controls, physical security, continuity of operations, policies and procedures, change controls, segregation of duties, and network security. Thirteen (13) were classified with a high level of risk, fifty-two (52) with a medium level of risk, and thirty-eight (38) with a low level of risk.
The Commission concurred with all of the reported findings and developed corrective action plans to address the findings.

The guideline for performing this audit was the Federal Information System Control Audit Manual (FISCAM). Additional guidance was received from the National Institute of Standards and Technology (NIST) and the following laws and directives related to management and protection of Federal information resources:

•   Presidential Decision Directive (PDD) 63, entitled “Critical Infrastructure Protection.”
•   PDD-67, entitled “Continuity of Operations Planning (COOP).”
•   Office of Management and Budget (OMB) Circular A-130, entitled “Management of Federal Information Resources,” as revised on November 30, 2000.
•   OMB M-97-16, entitled “Information Technology Architectures.”
•   OMB M-97-02, entitled “Funding Information Systems Investments.”
•   The Computer Security Act of 1987 (PL 100-235).
•   FCC Instruction 1479.2, “Computer Security Program Directive.”

Objective

The purpose of this audit was to determine the current status of the conditions at the FCC Consumer Center identified in Audit Report No. 00-AUD-01-12, entitled “Report on Audit of Computer Controls at the FCC Consumer Center.”

To achieve our objective, the audit team first reviewed the status of each condition as reported by FCC management. To determine the appropriateness of the reported status and the current status of conditions, the review team conducted a site visit to the FCC Consumer Center.
The status of general control conditions, which addressed the control areas of Security Program Planning and Management, Application Software Development and Change Controls, System Software, Segregation of Duties, and Service Continuity, was determined through staff interviews, review of documentation, and other tests deemed necessary. The status of technical controls, which addressed the control area of Access Controls, was evaluated by executing automated tools and manual tests on the Consumer Center’s UNIX and NT servers, as well as the Sybase databases administered by the Consumer and Governmental Affairs Bureau (CGB) and the Information Technology Center (ITC).

Scope

The scope of this engagement consisted of control weaknesses identified in the OIG’s prior report on the Consumer Center, Audit Report No. 00-AUD-01-12, Report on Audit of Computer Controls at the FCC National Call Center, issued June 21, 2000. The scope of this task order was to determine which findings from the prior audit were closed or open. For closed findings, the contractor performed appropriate tests to determine if the closed status was appropriate. For findings reported as open, the contractor determined if the condition still existed and if the open status was still appropriate. Our procedures were designed to comply with applicable auditing standards and guidelines, specifically the Generally Accepted Government Auditing Standards (GAGAS).

The review team conducted fieldwork from April 18, 2002 through July 23, 2002. A site visit to the FCC Consumer Center in Gettysburg, Pennsylvania was conducted on May 2, 2002 to follow up technical conditions. An additional site visit was conducted on May 6, 2002 through May 7, 2002 to review general control conditions.
The remaining fieldwork was performed from the FCC’s Portals location in Washington, DC.

Specifically excluded from this audit were conditions related to physical security, conditions determined to affect the FCC as a whole, and other conditions which did not warrant follow-up, as determined by the OIG. In total, sixty-six (66) of the one hundred three (103) conditions were reviewed and thirty-seven (37) were excluded. Our objective was to determine the appropriateness of the status of conditions reported by FCC management and determine which findings from the audit were closed and which were open.

Observations

The FCC Consumer Center findings identified during the original audit of computer controls covered issues in Unix, Windows NT, and Sybase controls, physical security, continuity of operations, policies and procedures, change controls, segregation of duties, and network security.

Included in our follow-up audit were sixty-six (66) of the one hundred three (103) FCC Consumer Center conditions identified in Audit Report No. 00-AUD-01-12. FCC management had reported sixty-four (64) of the sixty-six (66) conditions as resolved through corrective actions taken subsequent to issuance of Audit Report No. 00-AUD-01-12. Two (2) conditions were reported as unresolved and thus open at the time that our audit commenced.

Of the sixty-six (66) conditions that were reviewed, the audit identified twenty-one (21) conditions with an ‘open’ status, forty-five (45) with a ‘closed’ status, and four (4) new control weaknesses. Represented in the open conditions are twenty (20) that were determined to exist in the Consumer Center environment at the time of our audit which had been reported as resolved by FCC management prior to the audit. As a result, these conditions have been re-opened.
From our review, we were able to ascertain that some of these conditions may have re-opened for reasons including the degradation of security controls after the initial corrective action was taken, introduction of new hardware which may not have been properly configured, or subsequent changes made by personnel with administrative and maintenance duties.

Of those conditions determined to have an open status, five (5) had been classified in the original audit as high risk, thirteen (13) as medium risk, and three (3) as low risk. Of the new control weaknesses identified during the audit, two (2) have been determined to have high levels of risk and the remaining two (2) a medium level of risk.

During the review, FCC management took proactive measures to investigate the conditions identified as open and initiated steps to resolve those conditions. As applicable, we have noted such corrective actions in our report.

Appendix A of this report provides the FCC Consumer Center Audit - Findings Summary, which lists all open and new conditions identified during fieldwork. Appendix B of the report, entitled FCC Consumer Center Audit - Detailed Findings, provides detailed information on the conditions identified during fieldwork. Additional fields to indicate (1) the status of conditions as reported by FCC management prior to the audit, (2) observations from the follow-up audit, and (3) the status of the conditions as determined by the auditor were added to the Detailed Findings report provided in Audit Report No. 00-AUD-01-12. The report also indicates corrective actions reported to have been taken during our audit by FCC management to resolve conditions determined to have an open status.
The report entitled FCC Consumer Center Audit - New Conditions Identified is included as Appendix C to document new conditions at the FCC Consumer Center identified during the follow-up audit.

On September 30, 2002, we issued a draft report summarizing the results of our audit. In that draft report, we requested that OMD and CGB prepare a joint response to the open and new findings and recommendations presented in our report and that the response be provided by October 18, 2002. On November 27, 2002, we received a response to our draft report.

In their response, OMD and CGB indicated concurrence with the recommendations made for all twenty-five (25) new and open findings. For seventeen (17) findings, OMD and CGB outlined the corrective action taken and/or a milestone schedule for implementation of corrective action. OMD and CGB partially concurred with eight (8) findings. We have included a copy of the response from OMD and CGB in its entirety as Appendix D to this report. Where OMD and/or CGB disagreed with the finding or to clarify our position, we have added a section titled “OIG Comments,” to explain our position or provide additional comment.

In accordance with the Commission’s directive on the management of non-public information, we have classified all appendices as “Non-Public – For Internal Use Only.” Those persons receiving this report are expected to follow the established policies and procedures for managing and safeguarding this report in accordance with the Commission directive.